From: "Jay L. T. Cornwall" <jay@jcornwall.me.uk>
Date: Fri, 18 Apr 2008 21:23:28 +0100
To: freebsd-pf@freebsd.org
Message-ID: <48090340.50200@jcornwall.me.uk>
In-Reply-To: <4807E452.4090304@jcornwall.me.uk>
Subject: Re: PF + if_bridge + NAT anomaly

Jay L. T. Cornwall wrote:
> Even without 'block out all', the simple presence of:
>   pass out quick on $bridge_if
>
> causes NAT to stop. tcpdump on vr1 shows that packets with private IPs
> are passing to the WAN (and being filtered upstream). What is causing
> NAT to stop functioning by the presence of a loose rule? Does the
> default 'pass all' have additional flags necessary for NAT to function
> correctly?

OK, I've solved this. Kind of.
By setting the sysctl net.link.bridge.pfil_bridge to 0 from its default 1, the 'pass out' rule no longer breaks NAT. Oddly, a 'pass in' rule on bridge0 is still required even though if_bridge(4) would suggest otherwise:

  net.link.bridge.pfil_bridge
      Set to 1 to enable filtering on the bridge interface, set to 0 to
      disable it.

OK, whatever. :)

-- 
Jay L. T. Cornwall
http://www.jcornwall.me.uk/
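A preflight check for the combination this thread describes, added here as an example and not part of the original post. The pf.conf is a constructed reconstruction of the poster's setup; the interface names vr0/vr1, bridge0 and the 192.168.1.0/24 LAN are assumed.

```shell
#!/bin/sh
# Reconstructed (constructed, not the poster's file) pf.conf: bridge0 spans
# vr0 (LAN) and vr1 (WAN), NAT is applied on the WAN member, and both the
# 'pass in' rule the poster still needed and the 'pass out' rule that broke
# NAT while net.link.bridge.pfil_bridge=1 are present.
SAMPLE_PF_CONF='ext_if = "vr1"
bridge_if = "bridge0"
lan_net = "192.168.1.0/24"
nat on $ext_if from $lan_net to any -> ($ext_if)
pass in quick on $bridge_if
pass out quick on $bridge_if'

# Succeeds (exit 0) when the ruleset contains a "pass out" rule whose
# "on" interface, after pf macro expansion, is the bridge interface.
# $1 = pf.conf contents, $2 = bridge interface name
has_pass_out_on_bridge() {
    printf '%s\n' "$1" | awk -v br="$2" '
        # macro definition:  name = "value"  (quotes stripped)
        /^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*[[:space:]]*=/ {
            name = $0; sub(/[[:space:]]*=.*$/, "", name); sub(/^[[:space:]]*/, "", name)
            val = $0;  sub(/^[^=]*=[[:space:]]*/, "", val); gsub(/"/, "", val)
            macro[name] = val; next
        }
        $1 == "pass" && $2 == "out" {
            for (i = 3; i <= NF; i++) if ($i == "on") {
                ifc = $(i + 1)
                if (substr(ifc, 1, 1) == "$") ifc = macro[substr(ifc, 2)]
                if (ifc == br) found = 1
            }
        }
        END { exit(found ? 0 : 1) }'
}

# Exit 0 when the combination is safe; exit 1 in the failing case from the
# thread: pfil_bridge=1 together with a 'pass out' rule on the bridge, where
# NAT on the WAN member stopped and private addresses reached the WAN.
# $1 = pf.conf contents, $2 = bridge interface, $3 = pfil_bridge sysctl value
check_bridge_nat() {
    if [ "$3" -eq 1 ] && has_pass_out_on_bridge "$1" "$2"; then
        echo "WARNING: net.link.bridge.pfil_bridge=1 with 'pass out' on $2;" \
             "NAT on the WAN member may be bypassed (set pfil_bridge=0)" >&2
        return 1
    fi
    return 0
}

# On a FreeBSD host the live check would be:
#   check_bridge_nat "$(cat /etc/pf.conf)" bridge0 "$(sysctl -n net.link.bridge.pfil_bridge)"
# and the poster's fix persists as  net.link.bridge.pfil_bridge=0  in /etc/sysctl.conf.
check_bridge_nat "$SAMPLE_PF_CONF" bridge0 1
```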